The Internet Isn’t Vulnerable – It’s a Weapon

In the United States, there is a basic rule of thumb that at some point after a block of metal undergoes a certain amount of manufacturing, it becomes a rifle. When approximately 80 percent of the manufacturing is complete, the metal is not a weapon; at 81 percent, it is.

A weapon is dangerous; it is often regulated, and more often than not, it has safety standards to protect the operator. There is a tipping point when the raw material becomes something different.

Applying this concept to the Internet as a whole brings up an interesting question: at what point do its issues and vulnerabilities shift the Internet from a global resource to something unintended?

Recent accusations of foreign powers influencing the US presidential election make for great headlines. The public discourse continues to look at how our connected, digital lives are now vulnerable to compromise. Nation-states and lone actors can exploit vulnerabilities to attack the core services that power the Internet.

With recent attacks, it is now clear the Internet isn’t just vulnerable; the Internet is a weapon. Like any weapon, we need to start treating it differently to protect it.

Simple Endless Weakness

We have moved past the Advanced Persistent Threat (APT) and now live in a world of the Simple Endless Weakness. Why waste the money developing unique, highly complex malware to accomplish a task?

Burning carefully-crafted attack code that will quickly have a signature and behavior profile seems pointless when you can use an attack so ubiquitous it could be attributed to anyone. When the majority of sites cannot pass an OWASP Top 10 scan, we no longer need zero-days to inflict damage on a large scale.

Like a bent cartoon rifle pointed back at itself, it can do damage that operators with near zero skill can’t understand and don’t predict.

At what point is the Internet no longer an infrastructure but the sum of its vulnerabilities? When we reach the point when the vast majority of the Internet is made up of unpatched, vulnerable and poorly-configured devices that can be orchestrated to inflict devastation – doesn’t that majority make it a weapon?

A tool can be a weapon, and a weapon can be a tool. However, if the tool is used more and more frequently as a weapon, should it be treated as a tool or a weapon?

This may seem melodramatic when looking at the loss of Netflix for a few hours, but will it be farfetched when a power grid goes offline? What about air traffic control?

Protocols Aren’t Diplomacy

The world of statecraft used to be one of overt and covert “diplomacy.” In diplomacy, you have protocols. Rules of engagement allow for communication to occur via the proper channels. The Internet is no different. It uses BGP, TCP, UDP and a plethora of others to facilitate communication. However, the Internet protocols aren’t diplomacy. They are much closer to the double agents; they are allies and saboteurs at the same time.

The recent DynDNS attacks showed us how attacks on DNS infrastructure can cause massive service outages. By its nature, the Internet was always interconnected to provide redundancy. Like the alliances designed to prevent wars, our shared infrastructure was meant to strengthen us. Now, it is used against us.

Diplomatic protocols were designed to prevent wars. What happens when those protocols are used as a weapon of war?

Perhaps we would get further protecting the Internet if we treated it as a weapon and not a flawed tool. How we should do that is anyone’s guess. Much like Pandora’s Box, it is already open.

We could look at regulation like the gun safety laws weapons’ manufacturers follow. We could look at the Cyber UL to guide manufacturers to make more secure devices.

No matter what we do, we need to stop looking at the Internet as an always-on resource and instead as one that, if not actively protected, will become a weapon of mass destruction for anyone that wants to use it.

About the Author:Ean Meyer is an information security professional working in Central Florida. Ean’s current focus areas are PCI, SOX, Intrusion Detection and Prevent Systems, Information Security Program Management, Penetration Testing, and Social Engineering/User Awareness Training. Ean has a BS in Information Security and an AS in Computer Network Systems. Ean also holds a CISSP certification. He can be found at: https://www.eanmeyer.com

Editor’s Note:The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.